The Spanish Data Protection Agency has concluded its investigation into the cyber attack and emphasizes that MAPFRE acted diligently and transparently
The Spanish Data Protection Agency (AEPD) has concluded its investigation into the cyber attack suffered by MAPFRE during the month of August last year, emphasizing the company’s diligent actions and transparency in making the attack public.

In particular, the AEPD stressed that the impact in terms of the volume of data violated “was almost zero” since “the exfiltration (data extraction) attempts were detected and prevented which, together with the speed in making the cyber attack public, enabled clients, employees, collaborators and providers to act effectively, thereby minimizing the impact.” It also made a point of stating that there have been no complaints from third parties to the Spanish Data Protection Agency.

The investigation into the incident found that MAPFRE “had reasonable technical and organizational measures to prevent this type of incident, which enabled the rapid identification, analysis and classification of the security breach.”

Additionally, the Agency described MAPFRE’s reaction to the incident as “diligent,” and highlighted its speed in notifying the Spanish National Cybersecurity Institute (INCIBE), the National Cryptologic Center (CCN-CERT) and the police, as well as in keeping the Agency itself informed of how the situation was evolving. “MAPFRE’s rapid communication with clients, collaborators, providers and employees made an effective response to the attack possible,” concluded the Director of the Agency in her resolution, which also highlighted efforts made in terms of transparency, as the attack was also reported to the security teams of MAPFRE’s major business partners.

The Data Protection Agency’s investigation gave an account of the series of events that occurred after the cyber attack was detected and how MAPFRE acted diligently and quickly by activating all protocols, crisis committees and business continuity plans to contain and prevent the spread of the attack, while security measures were strengthened, not only in Spain but also in other countries.

In a short time, it was possible to restore service to clients, but even so it took a few days for the quality of service provision to return to normal for all services. For this reason, MAPFRE decided to compensate all clients who were affected by this incident.

MAPFRE is working continually to strengthen its security measures and increase control levels in order to protect both the business and the data of its clients.

View the AEPD Resolution here.